Start a new topic and get direct answers from the Expert Advice Community.
CREATE NEW TOPIC +Search results
11268 results
Guest
Guest
Create New Topic As guest or Sign in
Assign topic to the user
-
Risk assessment methodology
Answer:
Basically if you want, you can develop your own methodology, and for this, you can use our recommendations, so this article can be interesting for you “How to write ISO 27001 risk assessment methodology” : https://advisera.com/27001academy/knowledgebase/write-iso-27001-risk-assessment-methodology/
By the way, our methodology for the risk assessment & treatment is based on 6 basic steps, which you can see here “ISO 27001 risk assessment & treatment - 6 basic steps” : https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
Regarding the asset risk register, first you need to identify assets, and after identify risks related to these assets (according to previous articles). So, for the identification of assets thi s article can be also interesting for you “How to handle Asset register (Asset inventory) according to ISO 27001” : https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/
Finally, these materials will help you to perform the risk assessment & treatment in your organization:
- free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
- book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/ -
Impact of document control on the company
Answer:
Control of documents is crucial for effective functioning of management system and organization. Document control represents set of rules for identification, publishing withdrawal and protection of the documents. Without it, it is impossible to maintain the system, to ensure that the proper documents are at the place of use or even if the documents in use are approved by the responsible person.
For more information, see: New approach to document and record control in ISO 9001:2015 https://advisera.com/9001academy/blog/2015/06/30/new-approach-to-document-and-record-control-in-iso-90012015/ -
Assessing risks for laptops as separate assets?
Answer: Yes - in this case you should use 3 different assets since they obviously have different vulnerabilities, threats, likelihood and impact. You should use one "asset class" only if all assets in that class have very similar vulnerabilities, threats, likelihood and impact.
By the way, this free online training explains the details about risk assessment: ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/ -
ISO 27003 for the implementation of ISO 27001
Answer:
You are right, ISO 27003 is a guideline that can help you to implement ISO 27001 in your organization. Anyway, we do not have specific information about this standard because we offer basically the same: a guideline to implement the standard -in an easy way- in your organization.
So, from my point of view, there are other ways more relevants that ISO 27003 to implement ISO 27001 in your organization (furthermore, ISO 27003 is a bit complex for small and medium sizes companies).
These articles can be useful for you:
- “ISO 27001 implementation checklist” : https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/
- “ISO 27001 project - How to make it work” : https://advisera.com/27001academy/blog/201 3/04/22/iso-27001-project-how-to-make-it-work/
Our toolkit can be also interesting for you, you can download a free version clicking on “Free demo” tab here “ISO 27001 Documentation Toolkit” : https://advisera.com/27001academy/iso-27001-documentation-toolkit/
Finally, these materials will help you for the implementation of ISO 27001 in your organization:
- free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
- book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/ -
ITIL and/or ISO 20000 implementation
Answer:
There is no pre-defined way on how to proceed i.e. no-one oblige you what to implement first.
ISO 20000 tells you "WHAT" you must implement in order to establish Service Management System (SMS) and ITIL tells you "HOW" to do it. So, I would suggest you to start ISO 20000 implementation (assuming that is the goal i.e. to set-up the SMS) and use ITIL to get the details.
See how ITIL and ISO 20000 complement in the articles
"ITIL and ISO 20000: A Comparison" https://advisera.com/20000academy/knowledgebase/itil-iso-20000-comparison/
"ISO 20000 and ITIL – How are they related?" https://advisera.com/20000academy/knowledgebase/iso-20000-and-itil-how-are-they-related/ -
ISO 27001 or AS ISO 27001?
Answer:
Basically ISO 27001 and AU/NZS ISO 27001 are the same standard, although ISO 27001 is the official version for all the world, and AU/NZS ISO 27001 is the Australian version copied from the official version (basically are the same).
Anyway, the current version of the ISO 27001 is the ISO 27001:2013, and the Australian version is the AS ISO 27001:2015 (there is no AU/NZS ISO 27001).
By the way, if you are interested in the implementation of the standard, this article can be interesting for you “ISO 27001 implementation checklist” : https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/
Finally, as you know, these materials will help you for the implementation of ISO 27001 in your organization:
- free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
- book Secure & Simple: A Small-Busine ss Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/ -
Consultant career
Would you please provide some guidelines on how to start a freelance consulting for InfoSec? As well as what would be the basics that should be included in the document.
Answer:
Regarding the document that you want, I am sorry but I am not sure if I have understood what is exactly you need. If you mean a document to present the information security (and your services as consultant) to any type of organization, we have a free presentation about ISO 27001 and about information security that can help you. You can download this presentation from our free download section “Why ISO 27001 - Awareness presentation” : https://advisera.com/27001academy/free-downloads/
And our project proposal for the ISO 27001 implementation can be also interesting for your potential clients “Project proposal for ISO 27001 implementation” : https://advisera.com/27001academy/free-downloads /
Regarding your information security career as freelance, you can follow these steps:
1.- Attend the courses about information security. This course can help you “ISO 27001:2013 Foundations Course” : https://advisera.com/training/iso-27001-foundations-course/
2.- Obtain a certification, for example ISO 27001 Lead Implementer.
3.- Acquire experience working for another consultant.
Finally, this article can be also interesting for you “How to become an ISO 27001 / ISO 22301 consultant” : https://advisera.com/27001academy/blog/2014/07/21/how-to-become-an-iso-27001-iso-22301-consultant/
And also can be interesting for you our Consultant Toolkit : https://advisera.com/27001academy/consultants/ -
Internal audit checklist questions
9.1 - "Is it defined what needs to be measured, by which method, who is responsible, who will analyze and evaluate the results?" Does this refer to the objectives? Also, does there need to be a document that shows each objective, what needs to be measured and who is responsible?
Answer: Setting the objectives is only one part of measurement - once you set the objectives, then you have to measure whether they are fulfilled. You can document objectives in one or several documents, see the details here: https://community.advisera.com/topic/monitoring-and-measurement-and-the-process-approach/
A6.1.2 - "Are duties and responsibilities defined in such a way to avoid conflict of interest, particularly with the information and systems where high risks are involved?" Do these duties include those beyond just IT?
Answer: Information security is not only about IT, it concerns all the functions in your company - therefore, A.6.1.2 is not for IT only - e.g. you can avoid conflict of interest in your finance department by asking for a double signature for signing payments in your bank account.
A16.1.7 - "Do procedures exist which define how to collect evidence that will be acceptable during the legal process?" How detailed does this need to be? Would saying we use a 3rd party to handle these procedures suffice?
Answer: The level of detail depends on what your local courts would find as acceptable - therefore, asking for someone with experience (e.g. consultant with legal experience, or a lawyer with information security experience) would certainly help you with this. It is not enough to say that 3rd party is in charge of something - you need to check whether they are really performing the activities they are hired for.
This free online training will also help you: ISO 27001 Internal Auditor Course https://advisera.com/training/iso-27001-internal-auditor-course/ -
Implement ISO 27001 and ISO 22301
2. Is there like a roadmap template that I can use to know how to plan the whole project?
Answers:
Regarding the question 1, the time depends by some factors (scope, complex of your company, etc), but generally the time of the implementation of both standards, from my point of view, can be between 6 - 12 months. Anyway, with this free tool you can calculate the time for the implementation of each standard in your organization “Free Calculator - Duration of ISO 27001/ISO 22301 Implementation” : https://advisera.com/27001academy/free-tools/free-calculator-duration-of-iso-27001-iso-22301-implementation/
Regarding the second question, basically these articles can be also interesting for you:
- “ISO 27001 implementation checklist” : https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/
- “17 steps for implementing ISO 22301” : https://advisera.com/27001academy/knowledgebase/17-steps-for-implementing-iso-22301/22301/ iso-22301/
- “ISO 27001 project - How to make it work” : https://advisera.com/27001academy/blog/2013/04/22/iso-27001-project-how-to-make-it-work/
Finally, these materials will help you to know more about how to implement ISO 27001 in your organization:
- free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
- book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/ -
Ejemplos para el alcance
Respuesta:
Te muestro algunos ejemplos:
- Definición del alcance del SGSI: Este artículo te puede ayudar a definir el alcance “How to define the ISMS scope” : https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/ y este también “Problemas para definir el alcance de la norma ISO 27001” : https://advisera.com/27001academy/es/blog/2010/06/29/problemas-para-definir-el-alcance-de-la-norma-iso-27001/
- Procesos y servicios: Procesos de TI, servicio de soporte de TI, etc.
- Unidades organizativas: Unidad Gerencial, Unidad de Soporte, etc.
- Ubicaciones: Oficina principal, oficina de backup, etc.
- Redes e infraestructura: Infraestructura de red interna
Por otra parte, estos materiales te ayudarán a definir el alcance en tu SGSI:
- free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
- book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/